How The Hack Volume I: Phineas Fisher Part II
A peek inside the mind of one of the world's most elusive hacktivists
Hacking Team is a team of professional hackers; there is a reason governments around the world buy their services. The exploit kits they build work, and when it comes to computers they know what they're doing. We don't know what defensive measures and tactics Hacking Team used to protect themselves, but it's fair to say that HT isn't a regular company where half the SOC team is watching YouTube all day while "working remotely".
Quite a bit of ego goes into hacking, because so few people understand it. When a hacker adopts a persona and can hide their real identity from the public, the worst parts of themselves tend to come to light. Destroying someone's reputation post-hack is a method of propaganda; talking sh!t might deserve a place among the MITRE ATT&CK post-exploitation tactics.
Phineas Fisher wants both to entertain the reader and to embarrass Hacking Team by making things look easy. This gives the impression that Hacking Team is a bunch of chumps who don't know what they're doing. However, hindsight is 20/20, and we're only getting Fisher's side of the story.
Poking fun at HT members and exploiting basic vulnerabilities in their systems certainly gives us a few laughs and a sense of awe, but we don't get to see and feel the intense frustration Phineas encountered while trying to breach the team, nor can we feel the psychological pressure of potentially facing extradition and prison time for what is, in their own words, "hacktivism".
Many hackers deploy a tactic known as "living off the land" (LOTL): they use the binaries, scripts and commands already present on a compromised system to carry out post-exploitation tasks like recon, privilege escalation and consolidation. Living off the land has become a widespread tactic because it is stealthy. No network traffic has to be generated downloading your kit, and you don't have to worry about antivirus flagging your favorite open-source C2 framework. Done carefully, living off the land lets an intruder masquerade as a regular sysadmin.
Like all forms of strategy, hacking and defensive tactics evolve. Blue teams have wised up to LOTL by stripping their systems of useful things like Netcat and Python interpreters, so an attacker who lands on such a system finds themselves in a barren wasteland where they can't do anything.
Once inside the HT network, Phineas knows they can't download their favorite post-exploitation tools, nor are they foolish enough to think that running a reverse shell with Netcat or PowerShell will make it past the IDS. They anticipate a hardened environment, so they bring their own toys to the party:
"I did a lot of work and testing before using the exploit against Hacking Team. I wrote a backdoored firmware, and compiled various post-exploitation tools for the embedded device. The backdoor serves to protect the exploit. Using the exploit just once and then returning through the backdoor makes it harder to identify and patch the vulnerabilities."
The armada of post-exploitation toys he brings along is almost exclusively for network enumeration. Keep in mind that hacking is an art of deception; these are only the tools he tells us about. A sword has two edges: most of the "weapons" he uses are regular tools used by sysadmins. He is repurposing Nmap, tcpdump, Responder.py and a Python interpreter for malicious purposes.
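The defensive counterpart to the two points above (LOTL reuse of sysadmin tools, and tools compiled elsewhere and brought onto the box) is a baseline check over process-creation logs. The following is an added example written for this article, not code from Fisher's write-up or from Hacking Team; the log format, host names, accounts, watchlist and baseline are all constructed. It flags two things: a dual-use binary run by an account that does not normally run it on that host, and a dual-use binary launched from a staging directory such as /tmp, which is where a brought-along toolkit tends to land.

```python
"""Flag living-off-the-land (LOTL) tool use that falls outside a host's baseline.

Added example, not code from the article or from Phineas Fisher. The log lines,
host names, user names, watchlist and baseline below are constructed for the demo.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "ts host user path image cmdline")

# Interpreters and network utilities an intruder can reuse without dropping tools.
LOTL_BINARIES = {"nc", "ncat", "netcat", "socat", "python", "python3", "perl",
                 "tcpdump", "nmap", "powershell.exe", "certutil.exe"}

# Directories where a freshly uploaded toolkit usually lands.
STAGING_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

# Constructed baseline: which accounts normally run such binaries on which host.
BASELINE = {
    "fileserver01": {"svc_backup"},
    "dev-ws-07": {"alice"},
}

# Constructed log format: '<ts> host=<h> user=<u> image=<path> cmd="<cmdline>"'
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image=(?P<path>\S+) cmd="(?P<cmd>[^"]*)"$'
)

def parse_line(line):
    """Parse one record; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    base = re.split(r"[\\/]", m["path"])[-1].lower()   # works for / and \ paths
    return Event(m["ts"], m["host"], m["user"], m["path"], base, m["cmd"])

def classify(ev):
    """Return a reason string if the event is suspicious, else None."""
    if ev.image not in LOTL_BINARIES:
        return None
    if ev.path.startswith(STAGING_DIRS):
        return "lotl binary launched from staging directory"
    if ev.user not in BASELINE.get(ev.host, set()):
        return "lotl binary run outside host baseline"
    return None

def find_anomalies(lines):
    """Return (host, user, image, reason) for every suspicious record."""
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        reason = classify(ev)
        if reason:
            out.append((ev.host, ev.user, ev.image, reason))
    return out

# Constructed sample log (documentation address ranges, invented hosts and users).
SAMPLE_LOG = [
    '2015-06-01T02:14:03Z host=fileserver01 user=svc_backup image=/usr/bin/python3 cmd="python3 /opt/backup/rotate.py"',
    '2015-06-01T02:17:41Z host=fileserver01 user=www-data image=/usr/bin/nc cmd="nc 192.0.2.10 445"',
    '2015-06-01T02:18:02Z host=dev-ws-07 user=alice image=/usr/bin/python3 cmd="python3 manage.py test"',
    '2015-06-01T02:19:55Z host=dev-ws-07 user=alice image=/tmp/.x/nmap cmd="nmap 192.0.2.0/24"',
    r'2015-06-01T02:20:30Z host=dev-ws-07 user=bob image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe -File C:\scripts\inventory.ps1"',
    'garbage line that does not match the format',
]

if __name__ == "__main__":
    for hit in find_anomalies(SAMPLE_LOG):
        print(hit)
```

The baseline is the important part: the same nmap binary is unremarkable under svc_backup on a scanner host and worth a ticket when it appears under a web-server account or from /tmp. The expected run flags the Netcat use by www-data, the nmap copy in /tmp, and PowerShell under an account that is not in the workstation's baseline, and skips the two baselined python3 runs.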
Fisher begins recon on Hacking Team's LAN by running Responder in passive mode: they aren't generating any network traffic, just listening as packets fly back and forth between systems. This yields quite a bit of information; they learn the IP and MAC addresses of systems and get a general understanding of the traffic between them.
Nmap is everybody's favorite tool. It is powerful, but used improperly it can generate more than enough traffic to wake up the SOC team. Phineas reports running a "slow scan with nmap" but unfortunately did not provide any other details regarding the flags, scripts or other customizations they used. As a fan of computer security, it pains me that the finer details were left out; perhaps they were omitted as an OPSEC precaution.
Once the lay of the LAN is established, the hacker does what any hacker would do and starts looking for misconfigured, outdated and otherwise exploitable software to abuse. Inevitably, Fisher stumbles onto something useful:
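Why a "slow scan" works against a SOC is easiest to see in the detection logic itself. The block below is an added example for this article, not code from Fisher's write-up or from any product: it counts distinct (destination, port) pairs per source over a sliding time window, which is the classic port-scan heuristic. The connection records are constructed, using documentation address ranges, and contain a noisy scanner, a scanner probing one port every six minutes, and a normal client. With a one-minute window only the noisy scanner trips the threshold; the same threshold over a two-hour window catches both.

```python
"""Distinct-target counting over sliding windows, to show why slow scans evade
short-window thresholds. Added example; not from the article or Fisher's write-up.
All connection records are constructed (documentation address ranges)."""
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse_conn(line):
    """Parse a constructed firewall record such as
    '2015-06-01T02:00:00Z src=192.0.2.50 dst=198.51.100.7 dport=22 action=drop'."""
    fields = line.split()
    ts = datetime.strptime(fields[0], TS_FMT)
    kv = dict(f.split("=", 1) for f in fields[1:])
    return ts, kv["src"], kv["dst"], int(kv["dport"])

def scanners(lines, window, threshold):
    """Return the set of sources that contacted at least `threshold` distinct
    (destination, port) pairs inside some interval of length `window`."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, port = parse_conn(line)
        by_src[src].append((ts, (dst, port)))
    flagged = set()
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # every event from t0 up to t0 + window, counted by distinct target
            targets = {tgt for t, tgt in events[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                flagged.add(src)
                break
    return flagged

def build_sample_log():
    """Constructed traffic: a noisy scanner, a slow scanner and a normal client."""
    start = datetime(2015, 6, 1, 2, 0, 0)
    lines = []
    # noisy scanner: 12 ports on one host, one probe per second
    for i, port in enumerate(range(20, 32)):
        t = start + timedelta(seconds=i)
        lines.append(f"{t.strftime(TS_FMT)} src=192.0.2.50 dst=198.51.100.7 dport={port} action=drop")
    # slow scanner: the same 12 ports, one probe every six minutes
    for i, port in enumerate(range(20, 32)):
        t = start + timedelta(minutes=6 * i)
        lines.append(f"{t.strftime(TS_FMT)} src=192.0.2.51 dst=198.51.100.7 dport={port} action=drop")
    # normal client: two services on one server, hit over and over
    for i in range(40):
        t = start + timedelta(minutes=2 * i)
        port = 445 if i % 2 else 389
        lines.append(f"{t.strftime(TS_FMT)} src=192.0.2.60 dst=198.51.100.9 dport={port} action=allow")
    return lines

if __name__ == "__main__":
    log = build_sample_log()
    print("1-minute window:", scanners(log, timedelta(minutes=1), 10))
    print("2-hour window:  ", scanners(log, timedelta(hours=2), 10))
```

The trade-off is memory and false positives: a long window must keep per-source state for hours and will start to catch legitimate inventory or monitoring hosts, which is why those get allow-listed rather than the threshold raised. Nothing here needs the exact nmap flags Fisher left out; any probe cadence slower than the window length looks like one connection at a time.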
"NoSQL, or rather NoAuthentication, has been a huge gift to the hacker community. Just when I was worried that they'd finally patched all of the authentication bypass bugs in MySQL, new databases came into style that lack authentication by design. Nmap found a few in Hacking Team's internal network"
Sometimes you have to spend hundreds of hours looking for a 0-day and building an exploit toolchain for a hardened database. Other times you walk in and find troves of data completely unprotected. Even in networks run by professional hackers, we find the latter. Although the two processes differ enormously in the effort and skill they require, the result is fundamentally the same: a compromised system.
I do believe that Phineas Fisher genuinely dislikes Hacking Team for selling spyware to authoritarian governments. No one likes totalitarianism, but the neo-Marxist undertones of Fisher's earlier works are, quite frankly, something only a complete idiot could believe. The political opinions espoused by the author could be a series of false flags to throw off investigators, or they could be claiming to be gender fluid simply for the lulz. We can't know Phineas's real opinions; after all, they're a criminal. Regardless of your political opinions about the ability of government bureaucrats to read your text messages, access your camera and listen in on your conversations, you can probably imagine how good it feels to hack someone you loathe.
While poking around the database, Fisher finds video recordings of HT testing their malware. This is just the tip of the iceberg; spoiler alert, he ends up with Domain Admin and access to the corporate Twitter account. But the route to privilege escalation runs through insecure backups:
"Their insecure backups were the vulnerability that opened their doors. According to their documentation, their iSCSI devices were supposed to be on a separate network, but nmap found a few in their subnetwork 192.168.1.200/24"
He then lists a series of commands for some port-forwarding magic and mounts the device files to access the backups on his VPS. Note that, as with the database, the iSCSI devices and the backups lacked both authentication and encryption.
With the backups in hand, the author tries to dump some of the passwords, hoping they are still valid on the live network:
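The gap Fisher exploited here is between what the documentation says ("iSCSI devices were supposed to be on a separate network") and what was actually reachable from the user LAN. That gap is checkable from an asset inventory. The following is an added example for this article, not Hacking Team's tooling or Fisher's: it takes a constructed zone policy (which subnets a storage or database service may live in) and a constructed host inventory, and lists every host in the scanned LAN that exposes a zoned service outside its permitted zone. It also shows one caveat worth knowing when reading the quote above: `192.168.1.200/24` has host bits set, and Python's `ipaddress` refuses it unless `strict=False` is passed, which masks it down to `192.168.1.0/24`.

```python
"""Verify that zoned services (iSCSI, NoSQL) are not exposed on the general LAN.
Added example; not from the article. Zone policy and inventory are constructed."""
import ipaddress

# Constructed policy: where each service is permitted to live.
ZONE_POLICY = {
    "iscsi": [ipaddress.ip_network("10.10.50.0/24")],     # storage network
    "mongodb": [ipaddress.ip_network("10.10.60.0/24")],   # database network
}
# Well-known default ports for those services.
SERVICE_PORTS = {3260: "iscsi", 27017: "mongodb"}

def normalize_network(text):
    """Accept a subnet written with host bits set, e.g. '192.168.1.200/24',
    and return the network it actually denotes (192.168.1.0/24)."""
    return ipaddress.ip_network(text, strict=False)

def segmentation_violations(inventory, scanned):
    """inventory: iterable of (ip, [open ports]); scanned: the subnet under review.
    Return (ip, service) pairs for hosts in `scanned` exposing a zoned service
    outside the zone the policy allows for it."""
    violations = []
    for ip_text, ports in inventory:
        ip = ipaddress.ip_address(ip_text)
        if ip not in scanned:
            continue
        for port in ports:
            svc = SERVICE_PORTS.get(port)
            if svc is None:
                continue
            if not any(ip in net for net in ZONE_POLICY[svc]):
                violations.append((ip_text, svc))
    return violations

# Constructed inventory, e.g. the output of an authorized internal scan.
INVENTORY = [
    ("192.168.1.37", [22, 3260]),     # iSCSI target sitting in the user LAN
    ("192.168.1.80", [27017]),        # NoSQL instance in the user LAN
    ("192.168.1.15", [445, 3389]),    # ordinary workstation, nothing zoned
    ("10.10.50.12", [3260]),          # iSCSI target where the policy puts it
]

if __name__ == "__main__":
    lan = normalize_network("192.168.1.200/24")   # value as written in Fisher's quote
    print("reviewing", lan)
    for ip, svc in segmentation_violations(INVENTORY, lan):
        print(f"{ip}: {svc} reachable outside its zone")
```

Run against the constructed inventory, the two hosts in 192.168.1.0/24 that answer on 3260 and 27017 are reported and the storage-network host is not. In practice the inventory comes from an authorized scan or the CMDB, and the policy table is the part that should be versioned alongside the network documentation so the two cannot drift apart silently.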
"What interested me most in the backup was seeing if it had a password or hash that could be used to access the live server. I used pwdump, cachedump, and lsadump on the registry hives. lsadump found the password to the besadmin service account:

_SC_BlackBerry MDS Connection Service
0000  16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0010  62 00 65 00 73 00 33 00 32 00 36 00 37 00 38 00  b.e.s.3.2.6.7.8.
0020  21 00 21 00 21 00 00 00 00 00 00 00 00 00 00 00  !.!.!..........."
Naturally, he tries this admin password on the live server's SMB share, and is in luck because it still works. Phineas Fisher now has admin access to Hacking Team's network. He continues to solidify his position by setting up a Meterpreter session and dumping more passwords on the live system with Mimikatz. Notice how the majority of the passwords end with "!"; this tells us a lot about human nature:
"It worked! The password for besadmin was still valid, and a local admin. I used my proxy and metasploit's psexec_psh [4] to get a meterpreter session. Then I migrated to a 64 bit process, ran "load kiwi" [5], "creds_wdigest", and got a bunch of passwords, including the Domain Admin:
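The observation that most of the dumped passwords end in "!" is something a defender can measure in their own directory before an intruder does. Below is an added example for this article, not tooling from Fisher or Hacking Team: a small audit that, given recovered or test-generated passwords, reports which ones pass a typical three-of-four complexity rule only because of the symbols tacked on the end, and which ones keep all their symbols at the end. The account names and passwords are constructed; the policy thresholds are assumptions.

```python
"""Audit passwords for the 'meet the policy by appending symbols' pattern.
Added example; not from the article. Accounts and policy thresholds are constructed."""
import re

def char_classes(pw):
    """Which of the four usual character classes a password contains."""
    return {
        "lower": bool(re.search(r"[a-z]", pw)),
        "upper": bool(re.search(r"[A-Z]", pw)),
        "digit": bool(re.search(r"[0-9]", pw)),
        "symbol": bool(re.search(r"[^A-Za-z0-9]", pw)),
    }

def meets_policy(pw, min_len=8, min_classes=3):
    """A Windows-style complexity rule: minimum length plus three of four classes
    (thresholds are assumptions for the demo)."""
    return len(pw) >= min_len and sum(char_classes(pw).values()) >= min_classes

def trailing_symbols(pw):
    """The run of non-alphanumeric characters at the end of the password, or ''."""
    m = re.search(r"[^A-Za-z0-9]+$", pw)
    return m.group(0) if m else ""

def audit_password(pw):
    """Return the list of findings for one password."""
    findings = []
    if not meets_policy(pw):
        findings.append("fails complexity policy")
        return findings
    suffix = trailing_symbols(pw)
    if suffix:
        core = pw[: len(pw) - len(suffix)]
        # Strip the suffix: if what is left no longer passes, the suffix is doing
        # all the work and the password is really 'word + punctuation'.
        if not meets_policy(core):
            findings.append("policy satisfied only by trailing symbols")
        if not re.search(r"[^A-Za-z0-9]", core):
            findings.append("all symbols at end")
    return findings

def audit(accounts):
    """Map account name -> findings for a dict of account -> password."""
    return {name: audit_password(pw) for name, pw in accounts.items()}

# Constructed sample accounts (not real credentials).
ACCOUNTS = {
    "svc_backup": "backup2015!!!",
    "j.doe": "Summer2015!",
    "ops": "c0rrect-H0rse-battery",
    "legacy": "tr0ub4dor",
}

if __name__ == "__main__":
    for name, findings in audit(ACCOUNTS).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

The point the audit makes is the one Fisher makes later in the write-up: a complexity rule that is satisfied by "!!!" on the end produces passwords that look compliant and crack like dictionary words, and a credential dumper does not care either way. Mandating length and screening against breached-password lists addresses the pattern; a symbol-count rule does not.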
With Domain Admin, Fisher begins pillaging the company's Outlook emails. He graciously provides the reader with a series of technical asides on his favorite methods for Windows privilege escalation, persistence and pillaging. I'm leaving these out for brevity's sake; the interested reader can find them in Fisher's original account.
While rummaging through the emails he realizes that he is missing access to a subnetwork used to store HT's source code. Because he is already a domain admin he has access to every workstation, but he can't reach that network with the information he's already gathered because, unlike the iSCSI backups he encountered earlier, it's properly segmented. He gets around this hurdle by keylogging and screen grabbing:
"Reading their documentation about their infrastructure, I saw that I was still missing access to something important - the "Rete Sviluppo", an isolated network with the source code for RCS. The sysadmins of a company always have access to everything, so I searched the computers of Mauro Romeo and Christian Pozzi to see how they administer the Sviluppo network, and to see if there were any other interesting systems I should investigate. It was simple to access their computers, since they were part of the windows domain where I'd already gotten admin access. Mauro Romeo's computer didn't have any ports open, so I opened the port for WMI and executed meterpreter. In addition to keylogging and screen scraping with Get-Keystrokes and Get-TimeScreenshot, I used many /gather/ modules from metasploit, CredMan.ps1, and searched for interesting files. Upon seeing that Pozzi had a Truecrypt volume, I waited until he'd mounted it and then copied off the files. Many have made fun of Christian Pozzi's weak passwords (and of Christian Pozzi in general, he provides plenty of material). I included them in the leak as a false clue, and to laugh at him. The reality is that mimikatz and keyloggers view all passwords equally."
He continues to spread across the network, finding passwords in plain-text files inside TrueCrypt volumes, and eventually gets full access to the git repos, which, I'll remind you, contain the source code for their exploit kits. To top it all off he accesses their GitLab server and Twitter account simply by using the "forgot password" feature with the corporate email accounts he has had access to for some time now.
The conclusion to his write-up speaks for itself. I can't do it justice, so I'll leave it here for you to enjoy. Thanks for reading!
"That's all it takes to take down a company and stop their human rights abuses. That's the beauty and asymmetry of hacking: with 100 hours of work, one person can undo years of work by a multi-million dollar company. Hacking gives the underdog a chance to fight and win.
Hacking guides often end with a disclaimer: this information is for educational purposes only, be an ethical hacker, don't attack systems you don't have permission to, etc. I'll say the same, but with a more rebellious conception of "ethical" hacking. Leaking documents, expropriating money from banks, and working to secure the computers of ordinary people is ethical hacking. However, most people that call themselves "ethical hackers" just work to secure those who pay their high consulting fees, who are often those most deserving to be hacked.
Hacking Team saw themselves as part of a long line of inspired Italian design. I see Vincenzetti, his company, his cronies in the police, Carabinieri, and government, as part of a long tradition of Italian fascism. I'd like to dedicate this guide to the victims of the raid on the Armando Diaz school, and to all those who have had their blood spilled by Italian fascists."